curl-library
Flag to bail out if not enough entropy?
Date: Mon, 26 Sep 2016 16:31:19 +0300
Hi,
I just stumbled on this piece of code:
https://github.com/curl/curl/blob/01c8db47aa020d426c196f5f4968f710396dc164/lib/vtls/openssl.c#L247
    /* If we get here, it means we need to seed the PRNG using a "silly"
       approach! */
    do {
      unsigned char randb[64];
      int len = sizeof(randb);
      RAND_bytes(randb, len);
      RAND_add(randb, len, (len >> 1));
    } while(!RAND_status());
I'd prefer to get an error if (lib)curl cannot seed OpenSSL with enough entropy (AFAICT OpenSSL wants at least 256 bits):
something is seriously wrong if it can't (e.g. running curl in a chroot without mounting /dev), and I'd rather want to know about it and fix it,
than establish a possibly insecure HTTPS connection (the PRNG might be used to generate ephemeral keys).
Could there be a flag added to libcurl that would cause it to return an error in this case?
P.S. LibreSSL has similar fallbacks, but it operates at a level where it can't return meaningful errors to the user: https://github.com/libressl-portable/openbsd/blob/008544c7f98543dd529c9663a3a7e4903fe2770c/src/lib/libcrypto/arc4random/getentropy_linux.c#L142
libcurl is usually high-level enough that it can report back errors that would be seen by the user.
Best regards,
--
Edwin Török | Co-founder and Lead Developer
Skylable open-source object storage: reliable, fast, secure
http://www.skylable.com
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-26
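The fail-closed behaviour requested in the message above, as an added sketch that is not curl's code, not OpenSSL's API and not part of the original post: seed material is read from a kernel device and every failure is returned to the caller instead of being papered over. The names seed_or_fail, seed_result, SEED_BYTES and seed_buf are hypothetical; 32 bytes corresponds to the 256 bits mentioned in the post.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SEED_BYTES 32 /* 256 bits, the figure quoted in the post */

enum seed_result { SEED_OK = 0, SEED_NO_SOURCE = -1,
                   SEED_NOT_DEVICE = -2, SEED_SHORT = -3 };

static unsigned char seed_buf[SEED_BYTES];

/* Hypothetical helper: read `need` bytes from the character device at
   `path`. Any failure is reported to the caller; there is no fallback. */
static int seed_or_fail(const char *path, unsigned char *out, size_t need)
{
  struct stat st;
  size_t got = 0;
  int fd = open(path, O_RDONLY);
  if(fd < 0)
    return SEED_NO_SOURCE;        /* e.g. chroot without /dev mounted */
  if(fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
    close(fd);
    return SEED_NOT_DEVICE;       /* something else sits at that path */
  }
  while(got < need) {
    ssize_t n = read(fd, out + got, need - got);
    if(n > 0)
      got += (size_t)n;
    else if(n < 0 && errno == EINTR)
      continue;                   /* interrupted by a signal: retry */
    else
      break;                      /* EOF or hard error */
  }
  close(fd);
  return got == need ? SEED_OK : SEED_SHORT;
}

int main(void)
{
  /* On SEED_OK the bytes would be handed to RAND_add(); on any other
     result the caller refuses to start the TLS handshake. */
  int rc = seed_or_fail("/dev/urandom", seed_buf, sizeof(seed_buf));
  return rc == SEED_OK ? 0 : 1;
}
```

A caller distinguishes the three failure codes so the error shown to the user can say whether the device is missing, replaced, or returning too little data.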